Biometrics Won’t Solve Our Data-Security Crisis

Executive Summary

600 years ago, England created the first documentation for people to prove their identities. Surprisingly little has changed since then, at least in the U.S. We’ve depended on driver’s licenses, social security numbers, and password for far too long. It’s time to do better. Widespread adoption of biometrics holds the promise of a more secure way to prove identity but comes with its own challenges. One concern is whether biometrics can be leveraged successfully across multiple transaction types and platforms. Privacy concerns will invariably arise, too. If companies can’t keep your credit card information safe, how likely is it that they’ll secure your biometric data? Unfortunately, it would be naïve to believe that a self-regulating approach to these types of data collection behaviors will work. If we as a society really want to encourage greater identification and authentication capabilities from government and private industry, then government and industry will have to leverage more and more consumer-facing technology while creating trust among consumers.

4×6/Getty Images

The history of proving one’s identity with official documentation dates back 600 years to the realm of King Henry V in England. Prior to that, your name and local reputation was pretty much all you needed to prove who you were. The Safe Conducts Act of 1414 created the first documentation for the English to prove themselves as subjects of the king when outside England: Thus, the creation of the first official passport.

Surprisingly little has changed since then, at least in the U.S.: Your driver’s license is the default proof of identity for everything from flying domestically to buying a new house. For transactions over the phone or internet, we rely on publicly available information to verify identity (name, address, where you went to high school). If we really want to be secure, we rely on our Social Security number, nine digits that were assigned to us at birth, are nearly impossible to change, and have probably been exposed through theft, loss, or both. If we want to add another layer of security, we may use a password, which, as repeated studies show, is probably the same for all of our accounts. And in rare cases we may use two-factor authentication.

After 600 years, it’s time to do a little better.

Identity verification and security have always been considered two distinct yet related concepts. For most consumers and businesses these lines have bled into one another so that verification of identity is a cornerstone of good security. Therefore, in order for new identity verification approaches to be widely adopted by government and business, they will need to leverage multiple layers of currently available information and technologies to help individuals prove identity to a prospective employer, creditor, educational institution, etc.

Insight Center

Current consumer technologies offer intriguing ways to generate dynamic data as identifiers, such as where an individual is (IP address/Geolocation/mobile device or number/application or social network) or something an individual is (biometric/genetic/behavioral data). With these approaches, we can start to see the identity verification model of the future take shape. At the same time, we can anticipate friction as new forms of identity verification are integrated into old systems (technological, business, and social systems) with the potential for further erosions of privacy.

With widespread distribution of smartphones equipped with fingerprint readers and audio and video capture, verification technologies like fingerprint and iris scans and facial recognition are in our pockets now. Widespread adoption of biometrics holds the promise of a more secure way to prove identity but comes with its own challenges.

One concern around physical biometrics is whether it can be leveraged successfully across multiple transaction types and platforms. There is a beauty in the simplicity of the nine-digit SSN. The SSN is easy and low tech. You can use old technology like a land line to enter your SSN or you can relay it to a call center employee in India who can verify it. While using iris or fingerprint scans may verify your identity more securely, they’re problematic for interactions carried out over traditional land line phones, older computers, or whenever the user is not physically present.

As we begin to see the increased use of physical biometrics in interactions both where the consumer is present and not present, privacy concerns will invariably arise. While biometric data will typically reside on the smart phone or device itself, outside applications could easily tap the data for other uses allowed by the fine print of privacy polices and terms of use. Much like credit data, we could soon have a burgeoning cottage industry in what I call extrapolated uses of biometric data.

Businesses already analyze customer data to infer characteristics they can’t know for sure and extrapolate likely behaviors. For instance, based on your credit score, profession, age group, or zip code, marketers infer that you fit into specific marketing demographics. It has already been demonstrated that facial image scans can be used to guess a person’s sexual orientation using algorithms that deliver a remarkable level of accuracy (while raising obvious ethical and privacy questions, too). Characteristics such as race, gender, age, and even economic class and health condition could be collected easily through facial recognition applications. Government agencies, businesses, and data traders could use the information to further classify and categorize an individual, then go on to rely upon it for a range of decisions from the mundane (target marketing) to the discriminatory (job screening).

Behavioral biometrics is a newer area that extends traditional biometrics to focus on discernible patterns in mundane human activities, which can be used as key identifiers for the individual. For instance, one could identity unique patterns in a typist’s keystroke dynamics or their mouse usage. You can measure writing pressure using signature analysis technology or track “gaze based” behavior — passively but constantly analyzing the way your eyes track across your device’s screen. Even the use of geolocation data can be leveraged as behavioral biometric data since it reveals patterns about an individual’s unique schedule.

Behavioral biometrics become more dependable the longer they can track our behavior and find patterns. Like big data analytics that rely on constant data collection, behavioral biometrics can easily spill into questionable areas outside of identity verification. For instance, a behavioral biometrics solution that uses typing or texting pattern data on individuals might see pattern shifts by a user every Thursday, Friday, and Saturday night. When cross referenced with data purchased from a third-party finance app that knows the same individual’s payment card spending habits at the local bar, suddenly you can see the value of behavioral biometrics to the liquor, beer, and wine industry. Perhaps the extrapolated marketing use points to a heavy drinker in a desirable economic demographic or with a preferred liquor brand. But on the other side, your life insurance company or health insurance company may be interested in that information for very different reasons.

Geolocation based behavioral biometric patterns can reveal exercise regimens (how often and how much time you spend at the gym) or work schedules (how much time you spend at the office) or when and where you go to the doctor or pick up your kids. Behavioral biometrics can become a passive watcher that triggers a flag when it recognizes a break in the usual pattern, similar to the expert systems that flag credit card fraud. It could be a powerful tool to root out identity thieves. The dark side of this approach is the potential misuse of its data collection by everyone from insurance companies to divorce lawyers.

And that is the crux of the problem: If we as a society really want to encourage greater identification and authentication capabilities from government and private industry, then government and industry will have to leverage more and more consumer-facing technology while creating trust among consumers. Individuals need to trust that the same verification data they use to authenticate with their bank won’t also be shared with third parties looking for specific and marketable data.

Unfortunately, it would be naïve to believe that a self-regulating approach to these types of data collection behaviors will work. The information to be gained from a marketer’s perspective is just too juicy. The only way to ensure that businesses and government, as well as the public they serve, can move to the next stage in identification and security is to legislate restrictive uses of these types of authentication data and the information gleaned from it. While general consensus under privacy regimes in North America and Europe is that biometric data is personal information, the restrictive use of that data under both current and pending regulations is opaque at best.

The Equifax data breach was a turning point in the country’s personal identification system. In a global market where 144 million unique U.S. Social Security numbers have been released into the wild, the time to integrate added security into our identity verification regime is upon us. However, doing so requires a careful consideration of the downstream consequences and unintended uses of new technologies like biometrics.

Remember our old friend the Social Security number? At 80+ years old, what was originally intended as a simple means to identify Social Security beneficiaries morphed into an identifier for creditworthiness, state and federal income tax payment, a Medicare identifier and more. To expect that new forms of identification and verification won’t also be co-opted in unintended ways would be foolish at best and dangerous at worst.

Let’s take a wiser route this time. By combining biometric security with strong privacy protections, we’ll take a significant step beyond King Henry V’s first English passport at last.

Eduard Goodman is Global Privacy Officer at CyberScout, the leading data security and identity theft protection firm. An internationally trained attorney and data protection expert, Goodman has nearly 15 years of experience in privacy law, fraud, and identity management.